1010import org .springframework .security .config .annotation .method .configuration .EnableMethodSecurity ;
1111import org .springframework .security .config .annotation .web .builders .HttpSecurity ;
1212import org .springframework .security .config .annotation .web .configuration .EnableWebSecurity ;
13+ import org .springframework .security .config .annotation .web .configurers .AbstractHttpConfigurer ;
1314import org .springframework .security .config .http .SessionCreationPolicy ;
1415import org .springframework .security .data .repository .query .SecurityEvaluationContextExtension ;
1516import org .springframework .security .web .SecurityFilterChain ;
@@ -26,20 +27,56 @@ public class WebSecurityConfig {
2627
2728 @ Bean
2829 protected SecurityFilterChain securityFilterChain (HttpSecurity http ) throws Exception {
29- http .authorizeHttpRequests ((auth ) -> auth
30- .requestMatchers (HttpMethod .GET , "/identity" ).authenticated ()
31- .requestMatchers (HttpMethod .GET , "/users" ).authenticated ()
32- .requestMatchers (HttpMethod .POST , "/users" ).anonymous ()
33- .requestMatchers (HttpMethod .POST , "/users/*" ).denyAll ()
34- .requestMatchers (HttpMethod .POST , "/*/*" ).authenticated ()
35- .requestMatchers (HttpMethod .PUT , "/*/*" ).authenticated ()
36- .requestMatchers (HttpMethod .PATCH , "/*/*" ).authenticated ()
37- .requestMatchers (HttpMethod .DELETE , "/*/*" ).authenticated ()
38- .anyRequest ().permitAll ())
39- .csrf ((csrf ) -> csrf .disable ())
40- .sessionManagement ((session ) -> session .sessionCreationPolicy (SessionCreationPolicy .STATELESS ))
41- .cors ((cors ) -> cors .configurationSource (corsConfigurationSource ()))
42- .httpBasic ((httpBasic ) -> httpBasic .realmName ("demo" ));
30+ http .authorizeHttpRequests ((auth ) -> auth
31+ .requestMatchers (HttpMethod .GET , "/identity" ).authenticated ()
32+ // Users
33+ .requestMatchers (HttpMethod .GET , "/users" ).authenticated ()
34+ .requestMatchers (HttpMethod .POST , "/users" ).anonymous ()
35+ .requestMatchers (HttpMethod .GET , "/users/{username}" ).anonymous ()
36+ .requestMatchers (HttpMethod .POST , "/users/*" ).denyAll ()
37+ // Admins
38+ .requestMatchers (HttpMethod .GET , "/admins" ).hasRole ("ADMIN" )
39+ .requestMatchers (HttpMethod .POST , "/admins" ).hasRole ("ADMIN" )
40+ .requestMatchers (HttpMethod .GET , "/admins/{username}" ).hasRole ("ADMIN" )
41+ .requestMatchers (HttpMethod .POST , "/admins/*/suspend" ).hasRole ("ADMIN" )
42+ .requestMatchers (HttpMethod .POST , "/admins/*" ).denyAll ()
43+ //Creators
44+ .requestMatchers (HttpMethod .GET , "/creators" ).hasRole ("ADMIN" )
45+ .requestMatchers (HttpMethod .POST , "/creators" ).permitAll ()
46+ .requestMatchers (HttpMethod .GET , "/creators/{username}" ).permitAll ()
47+ .requestMatchers (HttpMethod .PUT , "/creators/{username}" ).hasRole ("ADMIN" )
48+ .requestMatchers (HttpMethod .PUT , "/creators/*/profile" ).authenticated ()
49+ .requestMatchers (HttpMethod .POST , "/creators/*" ).hasRole ("ADMIN" )
50+
51+ // Projects
52+ .requestMatchers (HttpMethod .GET , "/projects/search/findByVisibility" ).permitAll ()
53+ .requestMatchers (HttpMethod .GET , "/projects/search/findByPortfolioAndVisibility" ).permitAll ()
54+ .requestMatchers (HttpMethod .GET , "/projects/**" ).authenticated ()
55+ .requestMatchers (HttpMethod .POST , "/projects" ).authenticated ()
56+ .requestMatchers (HttpMethod .PUT , "/projects/*" ).authenticated ()
57+ .requestMatchers (HttpMethod .PATCH , "/projects/*" ).authenticated ()
58+ .requestMatchers (HttpMethod .DELETE , "/projects/*" ).authenticated ()
59+ // Portfolios
60+ .requestMatchers (HttpMethod .GET , "/portfolios/search/findByVisibility" ).permitAll ()
61+ .requestMatchers (HttpMethod .GET , "/portfolios/*/owner" ).permitAll ()
62+ .requestMatchers (HttpMethod .GET , "/portfolios/**" ).authenticated ()
63+ // Tags
64+ .requestMatchers (HttpMethod .POST , "/tags" ).hasRole ("ADMIN" )
65+ .requestMatchers (HttpMethod .DELETE , "/tags/*" ).hasRole ("ADMIN" )
66+ // Profile
67+ .requestMatchers (HttpMethod .POST , "/profiles" ).hasRole ("CREATOR" )
68+ // Default
69+
70+ .requestMatchers (HttpMethod .POST , "/*/*" ).authenticated ()
71+ .requestMatchers (HttpMethod .PUT , "/*/*" ).authenticated ()
72+ .requestMatchers (HttpMethod .PATCH , "/*/*" ).authenticated ()
73+ .requestMatchers (HttpMethod .DELETE , "/*/*" ).authenticated ()
74+ .anyRequest ().permitAll ())
75+ .csrf (AbstractHttpConfigurer ::disable )
76+ .sessionManagement ((session ) ->
77+ session .sessionCreationPolicy (SessionCreationPolicy .STATELESS ))
78+ .cors ((cors ) -> cors .configurationSource (corsConfigurationSource ()))
79+ .httpBasic ((httpBasic ) -> httpBasic .realmName ("demo" ));
4380 return http .build ();
4481 }
4582
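Review bot: The default write rules near the end of the hunk match exactly two path segments (`/*/*`), so a POST/PUT/PATCH/DELETE on any one- or three-plus-segment path not listed above — for example `PUT`/`DELETE /portfolios/{id}/owner`, an association resource this config only locks down for GET — falls through to `.anyRequest().permitAll()` and requires no authentication at all. Since the explicit rules are evaluated first, the fallback can be made deny-by-default for non-GET without touching them by replacing the last rule with `.requestMatchers(HttpMethod.GET, "/**").permitAll()` followed by `.anyRequest().authenticated()`; CORS preflight is still handled by the cors filter ahead of authorization. Separately, PUT/PATCH/DELETE on `/admins/*` and `/users/*` are only `authenticated()` through those defaults, so any logged-in user reaches those handlers unless role or ownership checks live in method security — worth confirming, since the `EnableMethodSecurity` import suggests that is where they are expected. Also note that `.anonymous()` on `GET /users/{username}` requires ROLE_ANONYMOUS and therefore rejects authenticated callers, which looks like it was meant to be `permitAll()`.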